Ubuntu LDAP Authentication

So you have an Ubuntu server that you’d like to do LDAP authentication on. Here are the quick and dirty steps. Note that I’m leaving out a lot of additional options and tweaks, as many will be situationally different.

Make sure you have the packages you’ll need:

sudo apt-get install ldap-auth-client nscd libpam-ldap libnss-ldap libpam-cracklib

You’ll be prompted for a few things during that install. The first will be for the LDAP hostname. Then you’ll need to provide the search base, and then the version. Anything else can likely be defaulted, but read these things carefully as the packages can change, and so will the prompts and values.

Now do this:

sudo auth-client-config -t nss -p lac_ldap

You need to create a file (sudo vi /usr/share/pam-configs/my_mkhomedir) and populate it with this info. Note the Session: line: pam-auth-update expects the module line to sit under it, indented, or the profile is ignored.

Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required pam_mkhomedir.so umask=0022 skel=/etc/skel

Now run:

sudo pam-auth-update

The defaults on the prompts are probably fine.

If you have shell data in your LDAP, you might need to add some links so that the shells can be located. This is especially useful if you run multiple OSs with multiple shells. Something like sudo ln -s /bin/bash /usr/local/bin/bash should work, but obviously you’ll need to do this for each shell so that the linked file and the target match the LDAP and system values. This is probably the single most overlooked aspect of LDAP auth that I’ve seen, and it can be a deal breaker if you miss it: a user whose LDAP loginShell points at a path that doesn’t exist on the box simply can’t log in.

If you use a group such as ‘wheel’ on your network instead of ‘adm’, then edit “/etc/sudoers” (use visudo so a syntax error can’t lock you out) to have this line: %wheel ALL=(ALL) ALL

Finally, run sudo /etc/init.d/nscd restart and you should be all set.
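The two steps people most often get wrong above are the pam-configs profile and the shell paths. Here is a small added check script (mine, not part of the original post) that validates both: it feeds passwd-style lines (as you would get from getent passwd) through a check that flags any login shell that isn’t an executable file, and it checks that the mkhomedir profile has the fields pam-auth-update needs. The PREFIX argument is an assumption of this example so it can be run against a scratch directory; pass an empty string on a live system.

```shell
#!/bin/sh
# Added example: sanity checks for an LDAP-auth setup on Ubuntu.

# missing_shells PREFIX  (reads passwd-format lines on stdin)
# Prints "user:shell" for every entry whose login shell is not an
# executable file under PREFIX. Returns 1 if any were missing, else 0.
# On a live box:  getent passwd | missing_shells ""
missing_shells() {
    prefix=$1
    rc=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$shell" ] || continue          # skip entries with no shell
        if [ ! -x "${prefix}${shell}" ]; then
            printf '%s:%s\n' "$user" "$shell"
            rc=1
        fi
    done
    return $rc
}

# check_pam_profile FILE
# Verifies a pam-auth-update profile has Name, Default, Priority and
# Session-Type headers, a "Session:" block, and a pam_mkhomedir.so line.
# Prints what is missing and returns 1 on the first problem found.
check_pam_profile() {
    f=$1
    for key in Name Default Priority Session-Type; do
        grep -q "^$key:" "$f" || { echo "missing $key: header"; return 1; }
    done
    grep -q '^Session:' "$f" || { echo "missing Session: block"; return 1; }
    grep -q 'pam_mkhomedir\.so' "$f" || { echo "no pam_mkhomedir.so line"; return 1; }
    return 0
}
```

Run missing_shells against getent passwd after nscd restarts; every line it prints is a user who will be refused a login until the matching shell (or symlink) exists.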
